git:janakj/postgres: - bugfix for (small) potential buffer overflow in BLOB escaping - sr-dev

18 Feb 2009

Module: sip-router
Branch: janakj/postgres
Commit: 5bea0d904ef95a2813c10c7d77f1d1a03959f29d
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5bea0d90...
Author: Henning Westerholt henning.westerholt@1und1.de
Committer: Henning Westerholt henning.westerholt@1und1.de
Date:   Mon Feb 11 14:40:27 2008 +0000
- bugfix for (small) potential buffer overflow in BLOB escaping
git-svn-id: https://openser.svn.sourceforge.net/svnroot/openser/trunk@3680 689a6050-402a-0410-94f2-e92a70836424
---
modules/db_postgres/km_db_val.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/modules/db_postgres/km_db_val.c b/modules/db_postgres/km_db_val.c
index ee0e45c..c5b914b 100644
--- a/modules/db_postgres/km_db_val.c
+++ b/modules/db_postgres/km_db_val.c
@@ -263,6 +263,7 @@ int db_postgres_val2str(const db_con_t* _con, const db_val_t* _v, char* _s, int*
case DB_BLOB:
    	l = VAL_BLOB(_v).len;
+		/* this estimation is not always correct, thus we need to check later again */
    	if (*_len < (l * 2 + 3)) {
    		LM_ERR("destination buffer too short for blob\n");
    		return -7;
@@ -275,6 +276,10 @@ int db_postgres_val2str(const db_con_t* _con, const db_val_t* _v, char* _s, int*
    			LM_ERR("PQescapeBytea failed\n");
    			return -7;
    		}
+			if (tmp_len > *_len) {
+				LM_ERR("escaped result too long\n");
+				return -7;
+			}
    		memcpy(_s, tmp_s, tmp_len);
    		PQfreemem(tmp_s);
    		tmp_len = strlen(_s);

    